
DNSChanger Shut-Down Means Internet Blackout Coming For Hundreds of Thousands 264

Posted by timothy
from the are-you-on-the-list dept.
Since you're reading this here, you're probably already aware that in the early hours of Monday, lots of DNS calls are going to fail as the FBI turns off servers from which Windows machines infected with DNSChanger have been served. New submitter SuperCharlie adds a reminder of the impending shutdown, and adds: "The FBI has a step-by-step method for you to see if you are infected in this PDF document, or you can go to dcwg.org for an automated check if you are so inclined."
  • Pull the plug (Score:5, Insightful)

    by Dan541 (1032000) on Saturday July 07, 2012 @11:14PM (#40579801) Homepage

    Is anyone else sick of hearing about this?

    Just shut the servers down already and be done with it.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Please mod this guy up. If people are so dumb that they don't know they were infected, they are the first people who need to get unplugged from the Internet.

    • by Darinbob (1142669)

      I have not actually heard of this.

    • by arth1 (260657)

      Just shut the servers down already and be done with it.

      They should never have put alternative servers in place in the first place. Are the infected users paying for this service? I thought not.

      Pulling the plug immediately would have generated business for Geek Squad, Genius Bar and other computer services that keep local people employed.

    • by shentino (1139071)

      Even allowing them to remain online is aiding and abetting everything they do.

    • by antdude (79039)

      Yeah, at least our Internet will be slightly faster. ;)

  • They'll be getting lots of calls from all of the inept n00bs who got infected soon.
  • Why don't they... (Score:4, Interesting)

    by Annorax (242484) * on Saturday July 07, 2012 @11:30PM (#40579893) Homepage

    .. instead of shutting it down redirect all DNS requests to a page that says "Hey, butthead, your computer is infected. Fix it!"

    • by Osgeld (1900440) on Saturday July 07, 2012 @11:38PM (#40579943)

      cause it was originally infected by a page saying your computer is infected, here's how to fix it

      • Re:Why don't they... (Score:4, Interesting)

        by Malcolm Chan (15673) on Sunday July 08, 2012 @12:14AM (#40580085)

        OK, so it'll probably work, then? These were the users who were willing to do it the first time, so why not a second time?

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Because it will work a second time... and a third... and a fourth... If you redirect morons to a "you're infected!" message, then they will be easily fooled by the fake one they receive tomorrow.

          • by bky1701 (979071)
            You mean like they were last time? What is your point?
            • Re: (Score:2, Insightful)

              by Anonymous Coward

              The point is if you teach them that sometimes it actually does fix problems then they are far more likely to keep clicking them.

      • In this case, they give you instructions to fix it. If you are on the net and don't know what DNS is, you're on your own.
        The same thing happens if you drive a car and don't know how to change a tyre.
    • Re:Why don't they... (Score:5, Interesting)

      by techno-vampire (666512) on Saturday July 07, 2012 @11:44PM (#40579969) Homepage
      One of the easiest ways to infect computers is to put up a website with a phony virus scan and tell everybody that their system's infected, then offer to "clean" it for them. Most of us are trying to get our friends and family to understand that when a random website tells them that their computer's infected, it's a scam. What you're suggesting would just make our lives that much harder. Having all of their DNS fail, however, is going to make these people understand that there's something wrong, even if they don't have a clue about what's happening.
      • Maybe it could just redirect them to a page that tells them they should contact their Internet Service Provider for assistance fixing their DNS.

        • by kasperd (592156)

          Maybe it could just redirect them to a page that tells them they should contact their Internet Service Provider for assistance fixing their DNS.

          Sensible idea. But actually if each ISP set up the page instead, it could be customized for that ISP, which in some sense would be even better. All the ISP would have to do is to route the IPs of the malicious DNS servers to one machine which they control themselves and have that reply with the same IP address to every query.

          BTW. Why are we still using the term I
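          A minimal version of the per-ISP responder kasperd describes, added here as an example (it is not from the post, the DCWG or any ISP): a UDP DNS server that answers every A query with one fixed address, the assumed landing-page IP 192.0.2.10. The sample query bytes are constructed, and the bind address and port are assumptions for local testing.

          ```python
          import socket
          import struct

          LANDING_IP = "192.0.2.10"  # assumed address of the ISP's "contact support" page

          # Constructed sample: a query for www.example.com, type A, ID 0x1234, RD set.
          SAMPLE_QUERY = (
              b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              + b"\x03www\x07example\x03com\x00"
              + b"\x00\x01\x00\x01"
          )


          def parse_question(packet):
              """Return (txid, qname, qtype, raw question section) from a DNS query."""
              txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
              if qdcount != 1:
                  raise ValueError("expected exactly one question")
              labels, pos = [], 12
              while True:
                  length = packet[pos]
                  pos += 1
                  if length == 0:
                      break
                  labels.append(packet[pos:pos + length].decode("ascii"))
                  pos += length
              qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
              pos += 4
              return txid, ".".join(labels), qtype, packet[12:pos]


          def sinkhole_response(packet, landing_ip, ttl=5):
              """Answer any A query with landing_ip; other types get an empty NOERROR reply.
              A short TTL keeps stub resolvers from caching the redirect for long."""
              txid, _qname, qtype, question = parse_question(packet)
              # QR=1, AA=1, RA=1, and copy the client's RD bit.
              flags = 0x8480 | (struct.unpack("!H", packet[2:4])[0] & 0x0100)
              if qtype != 1:
                  return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
              header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
              # Answer RR: compressed name pointer to offset 12, type A, class IN, TTL, 4 bytes.
              rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(landing_ip)
              return header + question + rr


          def answer_ip(response):
              """Extract the A record from a one-answer response, or None if unanswered."""
              ancount = struct.unpack("!H", response[6:8])[0]
              return socket.inet_ntoa(response[-4:]) if ancount == 1 else None


          if __name__ == "__main__":
              # The ISP would route the rogue resolvers' prefixes to the host running this.
              sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
              sock.bind(("127.0.0.1", 5353))  # assumed local test port
              while True:
                  data, peer = sock.recvfrom(512)
                  sock.sendto(sinkhole_response(data, LANDING_IP), peer)
          ```
          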

    • by toygeek (473120) on Sunday July 08, 2012 @01:15AM (#40580305) Homepage Journal

      Various ISP's have been doing this for a while. I know of one Very Big ISP that does HTML injections, emails, and snail mail letters to their customers saying "Hey, butthead, your computer is infected. Fix it!" and guess what happens?

      Big. Fat. Nothing.

      Joe Jackass gets that letter in his mail with his bill, goes "Huh, wonder what that is" and then trashes it.

      And the gorgeous part of it? Monday, guess whose fault it's going to be? That's right, the ISP's.

      People are ignorant of it, and when presented with facts, their ignorance turns into anger, and their anger turns to blame, and suddenly it's somebody else's fault, so they feel justified in their ignorance.

      Yes, I do tech support in a call center for a living. F'ing kill me now. Before Monday, please.

      • by toygeek (473120)

        And the worst part of it is that half of the people I work with don't understand DNS well enough to understand the full scope of the problem.

      • by interkin3tic (1469267) on Sunday July 08, 2012 @02:46AM (#40580589)

        Yes, I do tech support in a call center for a living. F'ing kill me now. Before Monday, please.

        Given that this population of your customers has proven itself incompetent, couldn't you just hang up on them all day long and reason that they won't figure out how to give you negative feedback?

      • by bertok (226922)

        Reminds me of desktop SOE "cutovers" on a weekend. We'd send out mass emails to everyone a week before the cutover, a day before, and then leave printed-out "cheat sheets" with key information on each keyboard on the Friday night.

        Come Monday morning, there's always at least a dozen managers on the phone to helpdesk complaining that they weren't notified of the changes. Not the ordinary workers, they always handle the changes just fine, technical teething issues aside. It's always the managers.

      • by baegucb (18706)

        Simple solution. Instead of saying "Hi, this is toygeek at random-ISP, how can I help you?" try saying "Hi, this is most-hated-guy-at-work, how can I help you?". And then hang up. Repeatedly. Worked for someone I know.

  • by zedrdave (1978512) on Saturday July 07, 2012 @11:33PM (#40579911)
    "dcwg.org"? seriously?

    Let me get this straight: the FBI is recommending people go to a nondescript .org website to run a security check on their computer?

    Can I next invite them to go to submit their information at fswrxt.net to check that their credit card wasn't hacked?
    • by theskipper (461997) on Saturday July 07, 2012 @11:47PM (#40579985)

      What's wrong with a four letter .org? They obviously vetted it. There was also a mention of "dns-ok.us". That domain looks even funkier but it's perfectly legit.

    • by bmo (77928) on Sunday July 08, 2012 @12:27AM (#40580133)

      >nondescript .org

      DCWG is DNS Changer Working Group

      How is it nondescript? It's a friggin' acronym for the name of the group.

      Tell me, how descriptive is slashdot.org? Why are you here on a site that has a nondescript.org name?

      >modded informative

      Right. There's no accounting for taste among mods.

      --
      BMO

      • by fatphil (181876) on Sunday July 08, 2012 @05:09AM (#40580913) Homepage
        > >nondescript .org
        >
        > DCWG is DNS Changer Working Group
        >
        > How is it nondescript? It's a friggin' acronym for the name of the group.

        Only if you know in advance there's such a working group. And you know in advance there's malware with that name. The people who are previously aware of such things are probably not the people who are going to still be infected.

        I'm sure the grandparent poster could come up with a sensible-sounding acronym based on the dodgy domain he proffered. Being an acronym of something that sounds sensible does *not* make it trustworthy.

        You need to take a step back. You are unable to put yourself in the shoes of those who do not have the prior information that you have.

        The dns-ok domains are just as untrustworthy intrinsically. Why should I trust those, but not trust equivalent domains with "dns-check" or "dns-safe" in their name? Why is "ok" OK, but "safe" not safe? Explain that to someone who does not have prior knowledge about the situation.

        It's a government-funded and supported effort; the domain should have been under .gov. End of.
        • by bmo (77928)

          Your entire assertion is that since it's a .org instead of a .gov it's not trustworthy, implying it's the same as a .biz or something a spammer would use. .org, .gov, .mil, .com, .edu, and .us were all the original TLDs.

          Your argument rests on nonsense.

          --
          BMO

        • Only if you know in advance there's such a working group. And you know in advance there's malware with that name. The people who are previously aware of such things are probably not the people who are going to still be infected.

          How could they not know? For the last week, this has been on local TV news, NPR, CNN, Fox, and probably others that are not on my cable TV system or broadcast in my area.

          And while we are talking about what people do or don't know, what's wrong with a redirect to a web page that says your computer is infected and you need to fix it? Not "click here to fix it", but just "you need to get it fixed." That is NOT training them to click on unknown links.

    • by collar (34531)
      In Australia they've promoted http://dns-ok.gov.au/ [dns-ok.gov.au], which to me seems like a good idea (utilising the trust expectation of a .gov.au site) rather than going with a 3rd party site.
    • by subreality (157447) on Sunday July 08, 2012 @05:40AM (#40581007)

      People who think twice about clicking this link generally aren't affected by dnschanger in the first place.

  • by 1u3hr (530656) on Sunday July 08, 2012 @12:14AM (#40580089)
    "DSNChanger Shut-Down Means Internet Blackout Coming For Hundreds of Thousands"

    "DSNChanger"?

    And this is yet another dupe of this tedious "story", last just two days ago.

    FBI To Shut Down DNSChanger Servers Monday -- But Should It Cut Off 300k PCs? [slashdot.org]
    Posted by Soulskill on Thu Jul 05, '12 04:18 AM

  • by michaelmalak (91262) <michael@michaelmalak.com> on Sunday July 08, 2012 @12:26AM (#40580131) Homepage

    DSNChanger Shut-Down

    And a thousand Microsoft Access fat clients lose access to their back-end databases.

  • by mcbridematt (544099) on Sunday July 08, 2012 @12:46AM (#40580211) Homepage Journal

    DNSChanger infections by AS [dcwg.org]

    Top infected ISPs:

    • Comcast / AS7922 - 10211 unique IPs
    • BSNL (India) / AS9829 - 13818 unique IPs
    • France Telecom / AS3215 - 5075 unique IPs

    source [dcwg.org]

    • That's not as interesting as browser/OS stats would be.
    • Also, keep in mind that most large ISPs have numerous ASNs. Comcast, for example, has somewhere around 50.
      • by kasperd (592156)

        Also, keep in mind that most large ISPs have numerous ASNs. Comcast, for example, has somewhere around 50.

        No wonder the AS numbers are running out. I cannot imagine any technical reason Comcast would need that many AS numbers. But 50 AS numbers for a single ISP has got to be unusual. I would guess there are too many ISPs in the world for them to have that many AS numbers each.

  • How do I know the FBI posted a PDF?
    Because it doesn't have any logos or official headings!

  • by GNUALMAFUERTE (697061) <almafuerte.gmail@com> on Sunday July 08, 2012 @03:53AM (#40580757)

    Keeping the server up for so long was a mistake. Not warning users was a huge mistake too.

    What I would have done:

    Keep the server up for 10 days.
    Redirect all requests to a page that says "Your computer has been compromised ... blah blah blah. Your internet connection will stop working in N days. Click here to continue to the site you were visiting".

    Simple yet effective.

    • by Osgeld (1900440)

      They should have just pulled the plug, fuck warnings, these people haven't the slightest idea in the first place, you think another scam-like site is going to warrant any action?

      fuck them, let tech support figure it out. Smart users will investigate, dumb ones will pay 75 bucks an hour for a 30 second fix just like they always do, cause they have no OS disk and half the software they have is copies.

      (I was a tech for many years, back when it was somewhat respectable)

    • by fatphil (181876) on Sunday July 08, 2012 @05:18AM (#40580945) Homepage
      So they should have injected a popup that said "your computer may be infected - click here for a free virus scan"?

      You *really* didn't think about your post before clicking 'submit', did you? It is only "simple" in the way the word is euphemistically used to mean "stupid".
      • by DarkOx (621550)

        The right way to handle it was just to pull the plug. Better to let the users find out something is wrong and get the box looked at properly than to continue running a vulnerable machine. I agree with you about the problem of posting a "you may be infected" page; what you could do is post a page that says "You may be infected. Obviously you should not trust anything you read online. Please contact your ISP's support services or find a support provider in the yellow pages."

    • by kasperd (592156)

      Redirect all requests to a page that says "Your computer has been compromised ... blah blah blah. Your internet connection will stop working in N days. Click here to continue to the site you were visiting".

      Simple yet effective.

      I am sure they would have done something like that if it had been possible. But it is not. Once you hijack the first connection attempt, the browser is going to cache the DNS lookup. Clicking the second link is just going to go back to the hijack page again.

      You can get such hijacking mostly working if you do it at the routing level (like most hotspot providers do). But you cannot hijack the connection at the routing level, when you only control DNS.

  • good riddance (Score:5, Interesting)

    by Tom (822) on Sunday July 08, 2012 @05:06AM (#40580911) Homepage Journal

    Until malware seriously impacts those who are affected by it, interest by people to defend against it will remain minimal. Spammers thrive in this environment, because people don't care and can get away with it.

    I am still for a forced disconnect of any spamming botnet member until he has cleaned up his machine. When you drive your car on a public road, you have responsibility for it being roadworthy. Same logic applies to computers on the Internet. If you don't connect it to anything, I don't care how many kinds of malware your machine contains. If you go online, and you don't have working headlights, so to speak, you need to be taken off the road.

    I've had this argument inside ISPs. I am disgusted to this day by their cowardice. They fear customers would leave for competitors. Yeah, they probably would. That's why we need laws and regulations here, so everyone is in the same boat, at least within the same jurisdiction.

    So I applaud this move, though I think it should've come much earlier.

    • I've had this argument inside ISPs. I am disgusted to this day by their cowardice. They fear customers would leave for competitors.

      An Australian ISP (Exetel?) used to have an informal policy that if a customer rang about something stupid, and insisted and shouted about the stupid thing, the owner himself would contact the customer, cancel the contract, refund their connection fee, and give them 30 days to take their business elsewhere. His feeling was that customer service was a major cost, so it was cheaper to dump them than pay for their argumentative stupidity.

      I am still for a forced disconnect of any spamming botnet member until he has cleaned up his machine.

      Years ago I argued for fines for even unknowingly sending spam. Ie, fine

  • Since you're reading this here, you're probably already aware...

    Yes, yes we are. So why are you telling us again?

  • It's a much MUCH smaller deal than has been suggested.

    At this point, the only way you have much chance of being impacted is if someone has been totally negligent in the maintenance of the computer and simply does no security work at all for the computer and their LAN, or you are in a position of providing network connectivity support for such a user.

    And I say that, because by now any DNSChanger impacted user has had a year to recognize the problem, and it's been a well-publicized threat.
